The looming shadow of a US version of GDPR has been around since the European law went into effect last spring. Since that time, there have been several states that have shown interest in enhanced domestic online consumer protection laws with many in various stages of development. One of the most stringent and potentially widely adopted set of new privacy rules comes from California’s agreement last year, which may have many similarities to GDPR, but is still under consideration before a potential 2021 rollout. You can read our thoughts on the proposal here. Just last week, however, Nevada passed their version of a consumer information protection law, beating California to the punch.
The new Nevada law is a much more operator-friendly one than the proposed California law, allowing consumers to opt out of having their data or information sold, rather than the full right of having the information deleted. (You can read the specifics here.) It goes into effect in October.
While the Nevada law is much friendlier than California to operators like your bank, app makers like Uber or Instagram, or any websites that are collecting data, this is still going to have an impact on market researchers, particularly sample providers.
First, this law only impacts Nevada, as the California version would only impact them; however, as each state enacts their own version with differences, it is going to cause a huge headache for sample providers. Panels have panelists across the US, and the providers will have to ensure that they adhere to potentially 50 different versions of the law. That will become just too unwieldy and costly to maintain. Providers will either push for the federal version, or pick one set of standards (likely the strictest) and enforce them across their entire panel. Thus far, California looks like the potential highest standard and, with its large population, will likely be the benchmark until federal legislation is created
A second, and potentially bigger issue, deals directly with the Nevada law and the language about opting out of the sale of information. This presents a huge problem to sample providers, specifically sample aggregators like EMI, who blend different panels for studies. Will panelists, who have opted out of having their information sold, have to be excluded when an aggregator buys sample from the provider? Will they be excluded from projects that contain activities like recontacts, in-home usage testing, or any sort of online user experience tracking? Will there be new factors to consider when checking feasibility around targeting criteria?
What about clients who are paying for the data? Will researchers adapt to things like IP address, a long-used tool for preventing duplication, being removed from their data files? Will less data mean more questions and skepticism around market research?
These are questions that we may not know the answers to until the most stringent and consumer-friendly law goes into effect and major websites, apps, and market researchers are forced into new practices. While no one argues that we all live in an age that needs updated protections and privacy for an online society, it is important that the research industry is not a bystander while these decisions are made.